From 6495cc0189c482d563cf0ee565efff2c51416c9d Mon Sep 17 00:00:00 2001
From: Monkey Do
Date: Mon, 24 Jan 2022 15:19:37 +0100
Subject: [PATCH] chore(linting): Separate linting workflow for push to master and PRs

We have issues with committing code to forked repos (https://github.com/wearerequired/lint-action/issues/13) and concerns about giving permissions to untrusted forks (https://securitylab.github.com/research/github-actions-preventing-pwn-requests/)
---
 .github/workflows/lint-pull-requests.yml | 46 ++++++++++++++++++++++++
 .github/workflows/lint.yml | 17 ++++-----
 2 files changed, 55 insertions(+), 8 deletions(-)
 create mode 100644 .github/workflows/lint-pull-requests.yml

diff --git a/.github/workflows/lint-pull-requests.yml b/.github/workflows/lint-pull-requests.yml
new file mode 100644
index 0000000000..716c093657
--- /dev/null
+++ b/.github/workflows/lint-pull-requests.yml
@@ -0,0 +1,46 @@
+# Run ESLint on pull requests (limited permissions)
+
+name: Lint pull requests
+
+# Controls when the action will run.
+on:
+ # Triggers the workflow on pull request events in the context of the fork
+ # trying to sidestep limitations here: https://github.com/wearerequired/lint-action/issues/13
+ pull_request_target:
+
+# Limit permissions of the token
+# When running an untrusted fork, we don't want to give write permissions
+# See https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
+permissions:
+ checks: write # Allows the creation of annotations on forks
+ contents: read # Don't allow untrusted forks write access
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.event_name == 'pull_request_target' && github.head_ref || github.ref }}
+ cancel-in-progress: true
+
+jobs:
+ run-linters-pull-request:
+ name: Run linters for pull requests
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Check out repository
+ uses: actions/checkout@v2
+ with:
+ ref: ${{ github.event.pull_request.head.sha }}
+ # Also check out Lobes bootstrap theme submodule
+ submodules: true
+
+ - name: NPM install
+ uses: bahmutov/npm-install@v1
+
+ - name: Run linters
+ uses: wearerequired/lint-action@v1
+ with:
+ github_token: ${{ secrets.GITHUB_TOKEN }}
+ eslint: true
+ # Auto-fix requires write permissions to commit changes, which we don't want to allow
+ # See https://github.com/wearerequired/lint-action/issues/13
+ auto_fix: false
+
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index d3bd8bc14f..297dd20e5b
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
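Review bot: Limiting the token to `contents: read` does not make this `pull_request_target` job safe, because after checking out `github.event.pull_request.head.sha` the `bahmutov/npm-install` and `wearerequired/lint-action` steps execute code the fork controls (npm lifecycle scripts, `.eslintrc.js`, local ESLint plugins) while `secrets.GITHUB_TOKEN` with `checks: write` is present in the job — reachable via the credentials `actions/checkout` persists into `.git/config` by default and via the lint step's environment — which is enough to forge check results on the PR and is the exact pattern the cited Security Lab article warns about. At minimum add `persist-credentials: false` under the checkout `with:` block, and pin the three third-party actions to full commit SHAs instead of the mutable `@v1`/`@v2` tags, since they run with that token. The structure the article recommends is to run install and lint on a plain `pull_request` trigger (fork PRs receive a read-only token there) and to have a separate `workflow_run` workflow publish annotations from an uploaded report, so no privileged token ever coexists with fork code; `checks: write` here should be read as a write permission handed to the fork, not a harmless one.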
@@ -1,15 +1,16 @@
-# Run ESLint with autofix
+# Run ESLint with autofix on push to master branch
 
-name: Lint
+name: Lint and autofix issues
 
-# Controls when the action will run.
+# Controls when the action will run.
 on:
 # Triggers the workflow on push events for the master branch
 push:
 branches: [ master ]
- # Triggers the workflow on pull request events in the context of the fork
- # trying to sidestep limitations here: https://github.com/wearerequired/lint-action/issues/13
- pull_request_target:
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.event_name == 'push' && github.head_ref || github.ref }}
+ cancel-in-progress: true
 
 jobs:
 run-linters:
@@ -24,9 +25,9 @@ jobs:
 submodules: true
 
 - name: NPM install
- uses: bahmutov/npm-install@v1
+ uses: bahmutov/npm-install@v1
- - name: Run linters
+ - name: Run linters and autofix issues
 uses: wearerequired/lint-action@v1
 with:
 github_token: ${{ secrets.GITHUB_TOKEN }}
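Review bot: The `group` expression in the new `concurrency:` block is dead logic for this workflow: `github.head_ref` is only populated for pull-request events, so on `push` the `&&` yields an empty string and the `||` always falls back to `github.ref`; write it as `group: ${{ github.workflow }}-${{ github.ref }}` so the intent is visible rather than copied from the PR workflow. This workflow now runs only on push to master and, per its new title, commits ESLint autofixes, yet unlike the PR workflow no top-level `permissions:` block is declared in this hunk, so the job inherits whatever default token permissions the repository or organisation sets; declaring `permissions:` with `contents: write` (and `checks: write` if annotations are wanted) would make the privilege explicit and keep the autofix commit working if the default is later switched to read-only. A job-level `permissions:` may exist outside the hunk, in which case only the concurrency point stands.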